Skip to content

Configure Outbound Provisioning with Google

This topic provides instructions on how to configure Google as the Identity Provider to provision users from MWARE IAM. The service provider in this scenario is MWARE IAM.

Before you begin!

You need to have a Google domain. Click here for more information on creating the domain.


Configure Google

In this section, you are going to create a service account using the Google domain you created before you started this guide.

  1. Open the Google developers console to create a new project.

    create-a-new-project

  2. Create a new project:

    1. Click CREATE PROJECT on the top of the page.

    2. Provide a name for your project and click Create.

    add-project-name

  3. Search for the project you created and click it.

  4. Create a service account for the project you created.

    1. Click IAM and admin > Service accounts.

    2. Click Create service account on the top panel.
      create-service-account

    3. Fill in the form to create the service account:

      • Provide a service account name and click on Create.

        add-account-name

      • Optionally, assign a role from the list of roles given.

      • Click on Continue.
      • Click on Create Key.

        create-key

      • Choose your key type as P12 and click on Create.

    4. Click CREATE.
      The Service account and key created message is displayed and the service account's P12 file is downloaded to your machine.

      key-created

      Info

      Remember the location and name of this downloaded file as it is required later on in this guide.

  5. Get the Client ID of the service account.

    1. Click IAM and admin > Service accounts. Choose Edit from the action items corresponding to the service account you just created. edit-service-account

    2. Click on Show domain-wide delegation.

    3. Select Enable G Suite Domain-wide Delegation, give a product name of your choice, and click SAVE.

      enable-g-suite-domain-wide-delegation

    4. Click View Client ID and copy the value for the Client ID.
      copy-client-id

  6. Manage the API client access:

    1. Go to your domain's admin console via https://admin.google.com.
    2. Click Security.

      admin-console-security

    3. Click Advanced settings > Manage API client access.

    4. Fill the following values:

      1. Paste the Client ID value you copied previously as the value for Client Name.
      2. Enter https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.group as the value for scopes.
      3. Click Authorize.

      manage-api-client-access

  7. Enable Admin SDK.

    1. Open the Google developers console.
    2. Click the menu icon, and click APIs & Services > Dashboards.
    3. Click on Enable APIs AND Services.
    4. Search for Admin SDK and click Enable.

      admin-sdk


Configure email address as the username

Provisioning is the process of coordinating the creation of user accounts, e-mail authorizations in the form of rules and roles, and other tasks such as provisioning of resources associated with enabling new users.

  1. Download MWARE IAM from here.
  2. When you log into Google, you normally use an email address. So, to integrate this with the Identity Server, you need to configure WSO2 IS to enable users to log in using their email addresses. In order to do that, follow the steps found in Using Email Address as the Username topic.
  3. Restart MWARE IAM using the -Dsetup parameter. This parameter is required because the username and password of the admin user was updated.

    sh wso2server.sh -Dsetup

Now that you are done with configuring MWARE IAM to use the email address, configure the identity provider and the service provider.


Configure Google as the identity provider

This section includes steps on how to register Google as an Identity Provider.

  1. Start the MWARE IAM if it is not started up already, and log in using the email you configured for the realm configurations as instructed above in step 2 of Configuring the Identity Server to use the email address as the username.
  2. On the Management Console, navigate to Main > Identity > Identity Providers > Add.
  3. In the form that appears, provide a name for your identity provider by filling in the Identity Provider Name, such as Google.com, and optionally, add a description.

  4. Expand the Outbound Provisioning Connectors and click Google Provisioning Configuration section.

  5. Do the following configurations for Google provisioning.

    See here for more information on these fields

    Field Description Sample value
    Enable Connector Selecting this enables identity provisioning through the Google domain. Selected
    Google Domain The name of the Google domain used to provision users. mygoogledomain.com
    Primary Email Claim URI which will be used to retrieve primary email address for the account to be created. This must be a claim that is available and local in the Identity Server. http://wso2.org/claims/emailaddress
    Given Name Claim URI which will be used to retrieve given name attribute for the user. This must be a claim that is available and local in the Identity Server. http://wso2.org/claims/givenname
    Family Name Claim URI which will be used to retrieve the family name attribute for the user. This must be a local claim that is available and local in the Identity Server. http://wso2.org/claims/lastname
    Service Account Email This email is used for authentication purposes. d343s86gf@developer.gserviceaccount.com
    Private Key Browse and attach the private key from your local machine. This is the PKCS12 private key generated at the service account creation <uploaded_file>
    Administrator's Email This is the email of the administrator who owns the service account in the Google Domain specified. Provisioning takes place using this email, so specifying this here serves as a means for authentication. om@mygoogledomain.com
    Application Name This is the name of the application which is used to represent the Google connector. Domain
    Google Outbound Provisioning pattern

    This pattern is used to build the user id of Google domain. Combination of attributes UD (User Domain), UN (Username), TD (Tenant Domain) and IDP (Identity Provider) can be used to construct a valid pattern.

    This is a way to differentiate following scenarios:
    If there are several tenants and you must configure Google outbound provisioning for same Google domain in those tenants.
    If there are several user stores and you must configure the specific user store that needs to be provisioned.
    If there are multiple identity providers configured for same Google domain.

    {UD, UN, TD, IDP}
    Google Provisioning Separator This is used to separate the values that you configure in the Google Outbound Provisioning pattern. For this, it is better to use a character that is not normally used in the user domain/username/tenant domain/idp name. For example: "_"

    google-provisioning .

    1. Select Enable Connector to enable the Google connector.
    2. Enter your Google domain name.
      For example, in this guide, mydomain.com is used as the domain name.
    3. Select the claim URI for the Primary Email.
      For example, use http://wso2.org/claims/emailaddress.
    4. Select the claim URI for the Given name.
      For example, use http://wso2.org/claims/givenname.
    5. Select the claim URI for the family name.
      For example, use http://wso2.org/claims/lastname.
    6. Enter your service account ID as the value for the Service Account Email.

      Can't remember your service account ID?

      Follow the steps given below:

      1. Open the Google developers console and click the Menu icon in the top left corner.
      2. Click IAM and admin > Service accounts.
      3. Note the service account ID of your service account.
    7. Attach the private key you downloaded in step 4.e under Configuring Google as the Private Key.

    8. Enter the email address you created using your domain before starting this tutorial as the Administrator's Email.
    9. Enter a name for your application in the Application Name field. It is used to help you identify requests made by this Google client.
    10. Enter {UD,UN,TD,IDP} as the value for Google Outbound Provisioning Pattern. This pattern is used to build the user id of Google domain.
    11. Enter _ (the underscore character) as the value for the Google Provisioning Separator.

    google-prrovisioning-config

  6. Click Register.


Configure MWARE IAM as the resident service provider

  1. In the Main menu under the Identity section, click Resident under Service Providers.
  2. Expand the Outbound Provisioning Configuration on the screen that appears.
  3. Select the Google identity provider you configured from the drop down and click the outbound-provisioning-icon button.

    Info

    If you enable Blocking, Identity Server will wait for the response from the Identity Provider to continue.

    If you enable Enable Rules and Blocking, blocking will block the provisioning till the rule completely evaluates and get the response back to the WSO2 IdP. Afterwards, you need to enable the XACML policy. For more information, see Rule-Based Provisioning

  4. Click Update.


Manage users

The next step is to check if Google is configured properly with the Identity Server. If you add a user to the Identity Server via the management console, this user should also appear in Google too.

  1. On the Main tab in the Management Console, Navigate to Main > Identity > Users and Roles > Add.
  2. Click Add New User.
  3. Enter the username in the form of an email and enter the password.

    Info

    Later on, if you want to update the user details, you won't be able to update the email address.

  4. Assign a role to the user.

  5. Click Finish.
  6. In Google, log into admin console of your domain.
    On the left navigation pane, expand Users and click Users. You will see that the user you created in the Identity Server has been added to Google as well.

You have successfully completed the configurations to provision users from MWARE IAM to Google.


Top